finish remaining items in conf folder

conf/attribute-filter.xml

@@ -13,7 +13,9 @@
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">
 
+	<!-- EXAMPLES -->
     <!-- Release some attributes to an SP. -->
+	<!--
     <AttributeFilterPolicy id="example1">
         <PolicyRequirementRule xsi:type="Requester" value="https://sp.example.org" />
 
@@ -29,8 +31,9 @@
             <PermitValueRule xsi:type="ANY" />
         </AttributeRule>
     </AttributeFilterPolicy>
-
+	-->
     <!-- Release eduPersonAffiliation to two specific SPs. -->
+	<!--
     <AttributeFilterPolicy id="example2">
         <PolicyRequirementRule xsi:type="OR">
             <Rule xsi:type="Requester" value="https://sp.example.org" />
@@ -41,5 +44,34 @@
             <PermitValueRule xsi:type="ANY" />
         </AttributeRule>
     </AttributeFilterPolicy>
+	-->
+	<AttributeFilterPolicy id="releaseToAnyone">
+        <PolicyRequirementRule xsi:type="ANY" />
+
+        <AttributeRule attributeID="eduPersonPrincipalName">
+            <PermitValueRule xsi:type="ANY" />
+        </AttributeRule>
+
+        <AttributeRule attributeID="eduPersonScopedAffiliation">
+            <PermitValueRule xsi:type="ANY" />
+        </AttributeRule>
+
+        <AttributeRule attributeID="givenName">
+            <PermitValueRule xsi:type="ANY" />
+        </AttributeRule>
 
+        <AttributeRule attributeID="surname">
+            <PermitValueRule xsi:type="ANY" />
+        </AttributeRule>
+
+        <AttributeRule attributeID="displayName">
+            <PermitValueRule xsi:type="ANY" />
+        </AttributeRule>
+
+        <AttributeRule attributeID="mail">
+            <PermitValueRule xsi:type="ANY" />
+        </AttributeRule>
+
+    </AttributeFilterPolicy>
+
 </AttributeFilterPolicyGroup>

conf/attribute-resolver.xml

@@ -36,40 +36,28 @@
         <AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" friendlyName="eduPersonPrincipalName" encodeType="false" />
     </AttributeDefinition>
 
-    <!--
-    The uid is the closest thing to a "standard" LDAP attribute
-    representing a local username, but you should generally *never*
-    expose uid to federated services, as it is rarely globally unique.
-    -->
-    <AttributeDefinition id="uid" xsi:type="PrincipalName">
-        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:uid" encodeType="false" />
-        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid" encodeType="false" />
+    <AttributeDefinition xsi:type="Simple" id="givenName" sourceAttributeID="givenName">
+        <Dependency ref="myLDAP" />
+        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:givenName" encodeType="false" />
+        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.42" friendlyName="givenName" encodeType="false" />
+    </AttributeDefinition>
+
+    <AttributeDefinition xsi:type="Simple" id="surname" sourceAttributeID="sn">
+        <Dependency ref="myLDAP" />
+        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:sn" encodeType="false" />
+        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.4" friendlyName="sn" encodeType="false" />
     </AttributeDefinition>
+
+    <AttributeDefinition xsi:type="Simple" id="displayName" sourceAttributeID="displayName">
+        <Dependency ref="myLDAP" />
+        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:displayName" encodeType="false" />
+        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.16.840.1.113730.3.1.241" friendlyName="displayName" encodeType="false" />
+    </AttributeDefinition> 
 
-    <!--
-    In the rest of the world, the email address is the standard identifier,
-    despite the problems with that practice. Consider making the EPPN
-    value the same as your official email addresses whenever possible.
-    -->
-    <AttributeDefinition id="mail" xsi:type="Template">
-        <Dependency ref="uid" />
+    <AttributeDefinition xsi:type="Simple" id="mail" sourceAttributeID="mail">
+        <Dependency ref="myLDAP" />
         <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:mail" encodeType="false" />
         <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" encodeType="false" />
-        <Template>
-          <![CDATA[
-               ${uid}@example.org
-          ]]>
-        </Template>
-        <SourceAttribute>uid</SourceAttribute>
-    </AttributeDefinition>
-
-    <!--
-    This is an example of an attribute sourced from a data connector.
-    -->
-    <AttributeDefinition id="eduPersonScopedAffiliation" xsi:type="Scoped" scope="%{idp.scope}" sourceAttributeID="affiliation">
-        <Dependency ref="staticAttributes" />
-        <AttributeEncoder xsi:type="SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" encodeType="false" />
-        <AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" friendlyName="eduPersonScopedAffiliation" encodeType="false" />
     </AttributeDefinition>
 
 
@@ -82,5 +70,21 @@
             <Value>member</Value>
         </Attribute>
     </DataConnector>
+
+    <DataConnector id="myLDAP" xsi:type="LDAPDirectory"
+        ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
+        baseDN="%{idp.attribute.resolver.LDAP.baseDN}" 
+        principal="%{idp.attribute.resolver.LDAP.bindDN}"
+        principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
+        useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS:true}"
+        connectTimeout="%{idp.attribute.resolver.LDAP.connectTimeout}"
+        responseTimeout="%{idp.attribute.resolver.LDAP.responseTimeout}">
+        <FilterTemplate>
+            <![CDATA[
+                %{idp.attribute.resolver.LDAP.searchFilter}
+            ]]>
+        </FilterTemplate>
+		<dc:ReturnAttributes>givenName sn displayName mail uid</dc:ReturnAttributes>
+    </DataConnector>
 
 </AttributeResolver>

conf/authn/krb5-authn-config.xml

@@ -21,10 +21,10 @@
     The keytab bean must be an absolute file pathname and not a reference to a classpath resource,
     so if idp.home is not a path, don't use it in the value.
     -->
-    <!--
-    <bean id="shibboleth.authn.Krb5.ServicePrincipal" class="java.lang.String" c:_0="SERVICE/principal" />
-    <bean id="shibboleth.authn.Krb5.Keytab" class="java.lang.String" c:_0="%{idp.home}/credentials/keytab" />
-    -->
+
+    <bean id="shibboleth.authn.Krb5.ServicePrincipal" class="java.lang.String" c:_0="HTTP/idp.testbed.tier.internet2.edu@TESTBED.TIER.INTERNET2.EDU" />
+    <bean id="shibboleth.authn.Krb5.Keytab" class="java.lang.String" c:_0="%{idp.home}/credentials/http.keytab" />
+
 
     <alias name="ValidateUsernamePasswordAgainstKerberos" alias="ValidateUsernamePassword"/>
 

conf/authn/password-authn-config.xml

@@ -14,8 +14,8 @@
 
     <!-- Choose an import based on the back-end you want to use. -->
     <!-- <import resource="jaas-authn-config.xml" /> -->
-    <!-- <import resource="krb5-authn-config.xml" /> -->
-    <import resource="ldap-authn-config.xml" />
+    <import resource="krb5-authn-config.xml" />
+    <!--<import resource="ldap-authn-config.xml" />-->
 
 
     <!-- Names of form fields to pull username and password from. -->

conf/idp.properties

@@ -2,7 +2,7 @@
 idp.additionalProperties= /conf/ldap.properties, /conf/saml-nameid.properties, /conf/services.properties, /conf/authn/duo.properties
 
 # Set the entityID of the IdP
-idp.entityID= https://idp-dev.testbed.tier.internet2.edu/idp/shibboleth
+idp.entityID= https://idp.testbed.tier.internet2.edu/idp/shibboleth
 
 # Set the scope used in the attribute resolver for scoped attributes
 idp.scope= testbed.tier.internet2.edu
@@ -26,8 +26,8 @@ idp.scope= testbed.tier.internet2.edu
 #idp.sealer.aliasBase = secret
 idp.sealer.storeResource= %{idp.home}/credentials/sealer.jks
 idp.sealer.versionResource= %{idp.home}/credentials/sealer.kver
-idp.sealer.storePassword= Gr34tPass!
-idp.sealer.keyPassword= Gr34tPass!
+idp.sealer.storePassword= changeit
+idp.sealer.keyPassword= changeit
 
 # Settings for public/private signing and encryption key(s)
 # During decryption key rollover, point the ".2" properties at a second

conf/ldap.properties

@@ -5,9 +5,9 @@
 #idp.authn.LDAP.authenticator                   = anonSearchAuthenticator
 
 ## Connection properties ##
-idp.authn.LDAP.ldapURL                          = ldap://localhost:10389
-#idp.authn.LDAP.useStartTLS                     = true
-#idp.authn.LDAP.useSSL                          = false
+idp.authn.LDAP.ldapURL                          = ldap://ldap.testbed.tier.internet2.edu
+idp.authn.LDAP.useStartTLS                     = false
+idp.authn.LDAP.useSSL                          = false
 # Time in milliseconds that connects will block
 #idp.authn.LDAP.connectTimeout                  = PT3S
 # Time in milliseconds to wait for responses
@@ -27,13 +27,13 @@ idp.authn.LDAP.returnAttributes                 = passwordExpirationTime,loginGr
 
 # Search DN resolution, used by anonSearchAuthenticator, bindSearchAuthenticator
 # for AD: CN=Users,DC=example,DC=org
-idp.authn.LDAP.baseDN                           = ou=people,dc=example,dc=org
+idp.authn.LDAP.baseDN                           = ou=People,dc=testbed,dc=tier,dc=internet2,dc=edu
 #idp.authn.LDAP.subtreeSearch                   = false
 idp.authn.LDAP.userFilter                       = (uid={user})
 # bind search configuration
 # for AD: idp.authn.LDAP.bindDN=adminuser@domain.com
-idp.authn.LDAP.bindDN                           = uid=myservice,ou=system
-idp.authn.LDAP.bindDNCredential                 = myServicePassword
+idp.authn.LDAP.bindDN                           = 
+idp.authn.LDAP.bindDNCredential                 = 
 
 # Format DN resolution, used by directAuthenticator, adAuthenticator
 # for AD use idp.authn.LDAP.dnFormat=%s@domain.com